Abstract

Many existing algorithms for model checking of infinite-state systems operate on constraints which are used to represent (potentially infinite) sets of states. A general powerful technique which can be employed for proving termination of these algorithms is that of well quasi-orderings. Several methodologies have been proposed for derivation of new well quasi-ordered constraint systems. However, many of these constraint systems suffer from a "constraint explosion problem", as the number of the generated constraints grows exponentially with the size of the problem. In this paper, we demonstrate that a refinement of the theory of well quasi-orderings, called the theory of better quasi-orderings, is more appropriate for symbolic model checking, since it allows inventing constraint systems which are both well quasi-ordered and compact. As a main application, we introduce existential zones, a constraint system for verification of systems with unboundedly many clocks, and use our methodology to prove that existential zones are better quasi-ordered. We show how to use existential zones in verification of timed Petri nets and present some experimental results. Also, we apply our methodology to derive new constraint systems for verification of broadcast protocols, lossy channel systems, and integral relational automata. The new constraint systems are exponentially more succinct than existing ones, and their well quasi-ordering cannot be shown by previous methods in the literature.



1 Introduction

A major current challenge in automatic program verification is to extend model checking [CES86, QS82] to transition systems with infinite state spaces. Standard techniques such as reachability analysis and tableau procedures can be adapted, by using constraints to represent (potentially infinite) sets of states. These algorithms are based on two operations, namely that of computing predecessors or successors of sets of states (represented by constraints), and that of checking for termination (formulated as entailment between constraints). Since the number of constraints is not a priori bounded, a key problem when applying the algorithms is to guarantee termination. A general powerful tool which can be applied for proving termination is to show that the set of constraints is well quasi-ordered under entailment. In [ACJYK96, AJ01], a constraint based backward reachability algorithm is presented. Furthermore, a methodology is defined for inventing well quasi-ordered constraint systems. The key idea is to start from a set of "basic" constraints, and repeatedly derive new ones, using the fact that well quasi-orderings are closed under certain operations on constraints such as building finite trees, words, vectors, multisets, sets, etc. The methodology has been applied both to unify earlier existing results for Petri nets, timed automata, lossy channel systems, completely specified protocols, relational automata, etc., and to design verification algorithms for new classes of systems such as timed networks [AJ98], broadcast protocols [EFM99, DEP99], and cache coherence protocols [Del00]. However, many of the constraint systems constructed according to this method suffer from a "constraint explosion" problem, as the number of constraints generated when computing predecessors (successors) grows exponentially with the number of components.

* Parts of this paper have appeared in Proc. LICS'2000, 14th IEEE Int. Symp. on Logic in Computer Science, and Proc. ICATPN'2001, 22nd Int. Conf. on Application and Theory of Petri Nets.

In this work, we demonstrate that a refinement of the theory of well quasi-orderings, called the theory of better quasi-orderings [Mil85, Pou85], is more appropriate for symbolic model checking, as it allows for constraint systems which are more compact and hence less prone to constraint explosion. More precisely, better quasi-orderings offer two advantages: (i) better quasi-ordering implies well quasi-ordering; hence all the verification algorithms originally designed for well quasi-ordered constraint systems are also applicable to better quasi-ordered ones; and (ii) better quasi-orderings are more "robust" than well quasi-orderings. For instance, in addition to the above mentioned operations, better quasi-ordered constraint systems (in contrast to well quasi-ordered ones) are closed under disjunction: if a set of constraints is better quasi-ordered under entailment, then the set of finite disjunctions of these constraints is also better quasi-ordered under entailment. In this paper, we provide several examples which show that using disjunction often leads to very compact constraint systems.

First, we propose a new constraint system, which we call existential zones, for verification of systems with unboundedly many clocks such as timed networks [AJ98] and timed Petri nets (Section 5). Such systems cannot be modelled as real-time automata, since the latter operate on a finite set of clocks. An existential zone specifies a minimal required behaviour, typically of the form $\exists x_1 x_2 : 3 \le x_2 - x_1 \le 8$, characterizing the set of configurations in which there exist at least two clocks whose values differ by at least 3 and at most 8. Existential zones are related to existential regions, which are used in [AJ98] for verification of timed networks. Existential regions are better quasi-ordered since they are constructed by repeatedly building words, multisets, and sets. Each existential zone is equivalent to the disjunction of a finite number of existential regions. Since better quasi-orderings are closed under disjunction, it follows that existential zones are better quasi-ordered (and hence well quasi-ordered). The well quasi-ordering of existential zones cannot be shown using the approach of [ACJYK96, AJ01, FS98], since well quasi-orderings in general are not closed under disjunction. In fact, an existential zone is often equivalent to the disjunction of an exponential number of existential regions, thus offering a much more compact representation (in the same manner that zones are more efficient than regions in verification tools for real-time automata [LPY97, Yov97]). We can extend the results further and consider "existential variants" of CDDs [BLP+99] and DDDs [MLAH99], constraint systems which are even more compact than zones. We have implemented a prototype based on existential DDDs, and carried out a verification of a parametrized version of Fischer's protocol. While the set of constraints explodes when using existential regions, our tool performs the verification in a few seconds.

We also consider broadcast protocols, which consist of an arbitrary number of finite-state processes, communicating through rendezvous or through broadcast. In [EFM99] safety properties are checked, using constraints which characterize upward closed sets of vectors of natural numbers. In [DEP99] several new constraint systems are proposed, represented by different forms of linear inequalities over natural numbers. Since the new constraint systems cannot be constructed from upward closed sets using the previously mentioned constraint operations, these classes require an explicit termination proof for the underlying reachability algorithm. Applying our methodology we are able to prove well quasi-ordering of these constraint systems in a uniform manner. More precisely, the upward closed sets are characterized by constraints which are vectors of natural numbers and hence are better quasi-ordered. Using the fact that each inequality is a finite union (disjunction) of upward closed sets, we conclude that they are also better quasi-ordered (and hence well quasi-ordered).

Finally, we provide new better quasi-ordered constraint systems for verification of lossy channel systems [AJ96] and integral relational automata [Cer94]. The new constraint systems are exponentially more succinct than existing ones.
Related Work The first work which applies well quasi-orderings in symbolic model checking is reported in [AJ93]. The main contribution was an algorithm for checking safety properties for lossy channel systems. The idea of the algorithm is to perform backward reachability analysis using the fact that the underlying transition relation is monotonic under a given well quasi-ordering.

Independently, Finkel [Fin94] used well quasi-orderings for checking termination properties. This algorithm uses forward analysis and is therefore not sufficiently powerful for verification of safety properties.

The method of [AJ93] was extended in [ACJYK96] into a general framework for verification of relational automata, (timed) Petri nets, timed networks, etc. In [FS98] the monotonicity conditions of [ACJYK96] were further relaxed, extending applicability to new classes of systems.

To our knowledge this work is the first application of the theory of better quasi-orderings in the context of symbolic model checking.

Existential zones are variants of zones, a symbolic representation used in several tools for verification of timed automata, e.g. KRONOS [Yov97] and UPPAAL [LPY97]. However, zones characterize finite sets of clocks and therefore cannot be used to analyze timed Petri nets.

A model close to timed Petri nets, timed networks, was considered in [AJ98]. A timed network consists of an arbitrary number of timed processes and hence contains an unbounded number of clocks. The constraint system used in that work was that of existential regions, a constraint system that is far less efficient than existential zones; the number of existential regions generated during analysis explodes even on small applications.

Most earlier work on studying decidability issues for timed Petri nets, e.g. [HP85, MD91, MMP91, ?99], either reports undecidability results or decidability under the assumption that the net is bounded. A work closely related to ours is [dFERA00]. The authors consider the coverability problem for a class of timed Petri nets similar to our model. The main difference is that in [dFERA00] it is assumed that the ages of the tokens are natural numbers. Furthermore, it is not evident how efficient the constraint system is in practical applications.

Outline In the next section we introduce the notions of constraints and well quasi-orderings. In Section 3 and Section 4 we give the basics of the theory of better quasi-orderings and its application in model checking. Timed Petri nets are defined in Section 5, and in Section 6 we introduce existential zones and show how they can be used in the analysis of timed Petri nets. The results of our experiments are described in Section 7. In Sections 8, 9 and 10 we provide better quasi-ordered constraint systems for the verification of broadcast protocols, lossy channel systems and integral relational automata, respectively. Finally, in the last section we give some conclusions and directions for future work.



2 Constraints and WQOs

In this section, we introduce the notions of constraints and well quasi-orderings, and describe how to use them for performing symbolic model checking. We assume a transition system $(\Gamma, \to)$, where $\Gamma$ is a potentially infinite set of configurations, and $\to$ is a transition relation on $\Gamma$ whose reflexive transitive closure is denoted by $\to^*$.



Constraints We use constraints $\varphi$ for representing sets $[\![\varphi]\!]$ of configurations. We define an entailment relation $\preceq$ on constraints, where $\varphi_1 \preceq \varphi_2$ iff $[\![\varphi_2]\!] \subseteq [\![\varphi_1]\!]$, and let $\equiv$ be the equivalence relation induced by $\preceq$. We sometimes write disjunctions $\varphi_1 \vee \cdots \vee \varphi_n$ of constraints as $\bigvee \{\varphi_1, \ldots, \varphi_n\}$. For sets $\Phi_1, \Phi_2$ of constraints, we let $\Phi_1 \sqsubseteq \Phi_2$ denote that for each $\varphi_2 \in \Phi_2$ there is a $\varphi_1 \in \Phi_1$ with $\varphi_1 \preceq \varphi_2$. Notice that $\Phi_1 \sqsubseteq \Phi_2$ implies $\bigvee \Phi_1 \preceq \bigvee \Phi_2$.



Reachability In the sequel, we concentrate on the reachability problem: given a configuration $\gamma_{init}$ and a constraint $\varphi_F$, is there $\gamma_F \in [\![\varphi_F]\!]$ such that $\gamma_{init} \to^* \gamma_F$? We perform a backward reachability analysis, generating a sequence $\Phi_0 \subseteq \Phi_1 \subseteq \Phi_2 \subseteq \cdots$ of finite sets of constraints where $\Phi_0 = \{\varphi_F\}$ and $\Phi_{j+1} = \Phi_j \cup Pre(\Phi_j)$. Here $Pre(\Phi) = \bigcup_{\varphi \in \Phi} Pre(\varphi)$, where $Pre(\varphi)$ is a finite set of constraints such that $[\![\bigvee Pre(\varphi)]\!] = \{\gamma' \mid \exists \gamma \in [\![\varphi]\!].\ \gamma' \to \gamma\}$. For all the constraint systems we consider in this paper, the set $Pre(\varphi)$ exists and is computable. Since $\Phi_0 \subseteq \Phi_1 \subseteq \Phi_2 \subseteq \cdots$, the algorithm terminates when we reach a point $j$ where $\Phi_j \sqsubseteq \Phi_{j+1}$ (implying $\bigvee \Phi_{j+1} \equiv \bigvee \Phi_j$). Then, $\Phi_j$ characterizes the set of all predecessors of $\varphi_F$ (sometimes written as $Pre^*(\varphi_F)$). This means that the answer to the reachability question is equivalent to whether $\gamma_{init} \in [\![\bigvee \Phi_j]\!]$. We observe that, in order to be able to implement the algorithm for a given class of systems, the constraint system should allow (i) computing $Pre(\varphi)$, (ii) checking entailment between constraints, and (iii) checking satisfiability of a constraint by a configuration.

To show termination we rely on the theory of well quasi-orderings (wqo). A constraint system is said to be well quasi-ordered if for each infinite sequence $\varphi_0, \varphi_1, \varphi_2, \ldots$ of constraints, there are $i < j$ with $\varphi_i \preceq \varphi_j$. The following lemma (from [ACJYK96]) characterizes the class of constraint systems for which termination is guaranteed.
Lemma 2.1. A constraint system is well quasi-ordered iff for each infinite ($\subseteq$-increasing) sequence $\Phi_0 \subseteq \Phi_1 \subseteq \Phi_2 \subseteq \cdots$ of constraint sets, there is a $j$ such that $\Phi_j \sqsubseteq \Phi_{j+1}$.



Remark on Well Quasi-Ordered Transition Systems Alternatively, we can consider transition systems $(\Gamma, \to)$ which are well quasi-ordered [ACJYK96, AJ01, FS98]. This means that the set $\Gamma$ of configurations is equipped with a well quasi-ordering $\preceq_\Gamma$ such that the transition relation is monotonic with respect to $\preceq_\Gamma$. In other words, for configurations $\gamma_1, \gamma_1', \gamma_2$, if $\gamma_1 \preceq_\Gamma \gamma_1'$ and $\gamma_1 \to \gamma_2$ then there is a configuration $\gamma_2'$ such that $\gamma_2 \preceq_\Gamma \gamma_2'$ and $\gamma_1' \to \gamma_2'$. We can now develop a theory based on well quasi-ordered transition systems rather than well quasi-ordered constraint systems. The two theories are intimately related and yield identical model checking algorithms [ACJYK96, AJ01]. All constraints which we will consider in this paper characterize sets of configurations which are upward closed with respect to $\preceq_\Gamma$. This means that the reachability problem described above in fact asks about reachability of sets of states which are upward closed rather than that of a single state. This offers two advantages:

• Checking safety properties amounts to upward closed set reachability. More precisely, the states in $[\![\varphi_F]\!]$ are usually taken to be bad states that we do not want to occur during an execution. Using standard techniques [GW93, VW86], we can reduce several classes of safety properties to the reachability problem.

• Single state reachability is more difficult to solve. For instance, in the context of Petri nets, upward closed set reachability amounts to coverability. In timed Petri nets, single state reachability is undecidable [RFC99], while we show in this paper that coverability is decidable.
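The backward reachability procedure of this section, with the $\Phi_j \sqsubseteq \Phi_{j+1}$ termination test, instantiated for Petri net coverability (the upward closed set reachability the remark above refers to). This is an added example, not the paper's algorithm implementation or tool: constraints are encoded as minimal vectors $v$ of $\mathcal{N}^k$ with $[\![\varphi_v]\!] = \{u \mid u \ge v\}$, and the sample net, the `pre_transition` predecessor formula and all function names are my own constructions.

```python
"""Backward reachability with the entailment-based termination test of Section 2,
instantiated for Petri net coverability (added example; not code from the paper).

A constraint is a minimal vector v in N^k with [[phi_v]] = { u | u >= v componentwise }.
The sample net and the predecessor formula for one transition are constructed here."""
from typing import Iterable, List, Set, Tuple

Vec = Tuple[int, ...]
Transition = Tuple[Vec, Vec]          # (pre-vector I, post-vector O) of a Petri net transition


def entails(v: Vec, w: Vec) -> bool:
    """phi_v <= phi_w   iff   [[phi_w]] is a subset of [[phi_v]]   iff   v <= w componentwise."""
    return all(a <= b for a, b in zip(v, w))


def set_entails(phi1: Iterable[Vec], phi2: Iterable[Vec]) -> bool:
    """Phi1 |= Phi2 in the paper's sense: every w in Phi2 is entailed by some v in Phi1."""
    phi1 = list(phi1)
    return all(any(entails(v, w) for v in phi1) for w in phi2)


def pre_transition(v: Vec, t: Transition) -> Vec:
    """The single constraint whose denotation is the set of markings u from which one
    firing of t = (I, O) reaches [[phi_v]]: u >= I and u - I + O >= v, i.e.
    u >= I + max(v - O, 0) componentwise (standard Petri net predecessor computation)."""
    I, O = t
    return tuple(i + max(x - o, 0) for i, o, x in zip(I, O, v))


def pre(phi: Iterable[Vec], transitions: List[Transition]) -> Set[Vec]:
    """Pre(Phi) = union of Pre(phi) over phi in Phi; here Pre(phi_v) = { pre_transition(v, t) | t }."""
    return {pre_transition(v, t) for v in phi for t in transitions}


def minimal(phi: Iterable[Vec]) -> Set[Vec]:
    """Drop constraints entailed by a different one (only the minimal vectors matter)."""
    phi = set(phi)
    return {v for v in phi if not any(w != v and entails(w, v) for w in phi)}


def backward_reach(phi_f: Iterable[Vec], transitions: List[Transition], max_iter: int = 10_000) -> Set[Vec]:
    """Phi_0 = {phi_F}, Phi_{j+1} = Phi_j U Pre(Phi_j); stop at the first j with Phi_j |= Phi_{j+1}.
    Returns the minimal constraints of Phi_j, which characterise Pre*(phi_F)."""
    phi = set(phi_f)
    for _ in range(max_iter):
        nxt = phi | pre(phi, transitions)
        if set_entails(phi, nxt):        # V Phi_{j+1} is equivalent to V Phi_j: fixpoint reached
            return minimal(phi)
        phi = nxt
    raise RuntimeError("iteration bound exceeded")   # cannot happen: (N^k, <=) is a wqo


def reachable(init: Vec, pre_star: Set[Vec]) -> bool:
    """gamma_init in [[V Phi_j]]: the initial marking satisfies some constraint of Pre*."""
    return any(entails(v, init) for v in pre_star)


# Constructed sample net with three places p1, p2, p3:
#   t1: consumes one token from p1 and produces one in p2
#   t2: consumes one token from p2 and produces two in p3
SAMPLE_NET: List[Transition] = [((1, 0, 0), (0, 1, 0)), ((0, 1, 0), (0, 0, 2))]
# Target (the "bad" upward closed set): at least two tokens in p3.
TARGET: Vec = (0, 0, 2)

if __name__ == "__main__":
    pre_star = backward_reach([TARGET], SAMPLE_NET)
    print("Pre*:", sorted(pre_star))                        # [(0, 0, 2), (0, 1, 0), (1, 0, 0)]
    print("from (1,0,0):", reachable((1, 0, 0), pre_star))  # True
    print("from (0,0,1):", reachable((0, 0, 1), pre_star))  # False
```

Termination is guaranteed here because $(\mathcal{N}^k, \le)$ is a wqo (Dickson's lemma), which by Lemma 2.1 forces the $\sqsubseteq$ test to succeed after finitely many rounds; for the sample net it succeeds in the third round.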



3 Basics of BQOs

In this section, we introduce the basic definitions and properties of better quasi-orderings. We let $\mathcal{N}$ denote the set of natural numbers, and let $\mathcal{N}^{<\omega}$ ($\mathcal{N}^{\omega}$) denote the set of finite (infinite) strictly increasing sequences over $\mathcal{N}$. For $s \in \mathcal{N}^{<\omega}$, we let $\lambda(s)$ be the set of natural numbers occurring in $s$, and if $s$ is not empty then we let $tail(s)$ be the result of deleting the first element of $s$. For $s_1 \in \mathcal{N}^{<\omega}$ and $s_2 \in \mathcal{N}^{<\omega} \cup \mathcal{N}^{\omega}$, we write $s_1 \lhd s_2$ to denote that $s_1$ is a proper prefix of $s_2$. If $s_1$ is not empty then we write $s_1 \lhd^* s_2$ to denote that $tail(s_1) \lhd s_2$. An infinite set $\beta \subseteq \mathcal{N}^{<\omega}$ is said to be a barrier if the following two conditions are satisfied.

• There are no $s_1, s_2 \in \beta$ such that $\lambda(s_1) \subset \lambda(s_2)$.

• For each $s_2 \in \mathcal{N}^{\omega}$ there is $s_1 \in \beta$ with $s_1 \lhd s_2$.

Let $(A, \preceq)$ be a quasi-ordering, i.e., $\preceq$ is a reflexive and transitive relation on $A$. An $A$-pattern is a mapping $f : \beta \to A$, where $\beta$ is a barrier. We say that $f$ is good if there are $s_1, s_2 \in \beta$ such that $s_1 \lhd^* s_2$ and $f(s_1) \preceq f(s_2)$. We say that $(A, \preceq)$ is a better quasi-ordering (bqo) if each $A$-pattern is good.

We use $A^\omega$ to denote the set of infinite sequences over $A$. For $w \in A^\omega$, we let $w(i)$ be the $i$-th element of $w$. For a quasi-ordering $(A, \preceq)$, we define the quasi-ordering $(A^\omega, \preceq^\omega)$, where $w_1 \preceq^\omega w_2$ if and only if there is a strictly monotone¹ injection $h : \mathcal{N} \to \mathcal{N}$ such that $w_1(i) \preceq w_2(h(i))$, for each $i \in \mathcal{N}$.

We shall use the following two properties (from [Mil85]).

Lemma 3.1.

• If $\beta$ is a barrier and $\beta = \beta_1 \cup \beta_2$, then there is a barrier $\alpha$ such that $\alpha \subseteq \beta_1$ or $\alpha \subseteq \beta_2$ (using induction on $n$ we can generalize this property to $\beta = \beta_1 \cup \cdots \cup \beta_n$).

• If $(A, \preceq)$ is bqo then $(A^\omega, \preceq^\omega)$ is bqo.

4 Application of BQOs

As evident from Lemma 2.1, well quasi-ordering is crucial for termination of the symbolic algorithm presented in Section 2. Furthermore, three other properties of a given constraint system decide how efficiently the algorithm may run in practice. These properties are the size of the set $Pre(\varphi)$, the cost of checking entailment and membership, and the number of iterations needed before achieving termination. In [ACJYK96, AJ01, FS98], a methodology is defined for inventing well quasi-ordered constraint systems, based on the fact that all finite domains are well quasi-ordered under equality, and that well quasi-orderings are closed under a basic set of operations including building finite trees, words, vectors, multisets, sets, etc. This means that we can start from a set of constraints over finite domains, and then repeatedly generate new constraints by building more compound data structures. A typical application of this approach is a constraint system, called existential regions, introduced in [AJ98] for verification of systems with unboundedly many clocks. However, constraints developed according to the above methodology suffer from "constraint explosion" caused by the size of the set $Pre(\varphi)$. For instance, using existential regions, the set of generated constraints explodes even for very small examples. Often, the constraint explosion can be much reduced by considering new constraint systems which are disjunctions of the ones derived using the above mentioned set of operations. In Section 6 we present existential zones, each of which corresponds to the disjunction of a (sometimes exponential) number of existential regions. Thus, existential zones offer a much more compact representation, allowing us to verify a parameterized version of Fischer's protocol in a few seconds. As we show in this section, well quasi-ordered constraint systems are not closed under disjunction, and hence we cannot prove well quasi-ordering of existential zones within the framework of [ACJYK96, AJ01, FS98].

¹ meaning that $h(j_1) < h(j_2)$ if and only if $j_1 < j_2$

Instead of wqos, we propose here to use an alternative approach based on bqos. In Theorem 4.1 we state some properties of bqos which make them attractive for symbolic model checking. In the rest of this section we write $(A, \preceq)$ to denote a quasi-ordering $\preceq$ on a set $A$. Let $A^*$ denote the set of finite words over $A$, and let $A^\otimes$ denote the set of finite multisets over $A$. For a natural number $n$, let $\bar{n}$ denote the set $\{1, \ldots, n\}$. An element $w$ of $A^*$ and of $A^\otimes$ can be represented as a mapping $w : \overline{|w|} \mapsto A$ where $|w|$ is the size of the multiset or the length of the sequence. Given a quasi-order $\preceq$ on a set $A$, define the quasi-order $\preceq^*$ on $A^*$ by letting $w \preceq^* w'$ if and only if there is a strictly monotone injection $h : \overline{|w|} \mapsto \overline{|w'|}$ such that $w(j) \preceq w'(h(j))$ for $1 \le j \le |w|$. Define the quasi-order $\preceq^\otimes$ on $A^\otimes$ by $w \preceq^\otimes w'$ if and only if there is a (not necessarily monotone) injection $h : \overline{|w|} \mapsto \overline{|w'|}$ such that $w(j) \preceq w'(h(j))$ for $1 \le j \le |w|$.
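The two orderings just defined, decided algorithmically, as an added example (this is not code from the paper): $\preceq^*$ needs a strictly monotone injection, which a greedy left-to-right scan finds, while $\preceq^\otimes$ allows any injection and becomes a bipartite matching problem. The base quasi-order is passed in as a function; the alphabets, sample words and all function names are my own choices.

```python
"""Word embedding (<=*, strictly monotone injection) and multiset embedding
(<=(x), arbitrary injection) over a base quasi-order `leq`.
Added example, not code from the paper; sample inputs are constructed."""
from typing import Callable, List, Sequence, TypeVar

T = TypeVar("T")
Leq = Callable[[T, T], bool]


def word_embeds(w: Sequence[T], w2: Sequence[T], leq: Leq) -> bool:
    """w <=* w2. Positions must be matched in increasing order, so the leftmost greedy
    match is complete: mapping w[j] to the earliest admissible position of w2 leaves
    the longest possible suffix for the remaining letters."""
    k = 0
    for a in w:
        while k < len(w2) and not leq(a, w2[k]):
            k += 1
        if k == len(w2):
            return False
        k += 1                      # the next letter must map strictly to the right
    return True


def multiset_embeds(w: Sequence[T], w2: Sequence[T], leq: Leq) -> bool:
    """w <=(x) w2. Any injection h with w[j] <= w2[h(j)] will do; this is a bipartite
    matching from positions of w to positions of w2, solved with augmenting paths."""
    match_of = [-1] * len(w2)       # match_of[k] = index j of w currently matched to w2[k]

    def augment(j: int, seen: List[bool]) -> bool:
        for k in range(len(w2)):
            if leq(w[j], w2[k]) and not seen[k]:
                seen[k] = True
                if match_of[k] == -1 or augment(match_of[k], seen):
                    match_of[k] = j
                    return True
        return False

    return all(augment(j, [False] * len(w2)) for j in range(len(w)))


def equal(a: T, b: T) -> bool:
    """The ordering (A, =) of a finite alphabet (property 2 of Theorem 4.1)."""
    return a == b


def leq_int(a: int, b: int) -> bool:
    """The usual ordering on natural numbers."""
    return a <= b


if __name__ == "__main__":
    # Over a finite alphabet with equality: "ab" embeds in "xaxb" but not in "ba".
    print(word_embeds("ab", "xaxb", equal), word_embeds("ab", "ba", equal))   # True False
    # As multisets the order of letters is irrelevant.
    print(multiset_embeds("ab", "ba", equal))                                  # True
    # Over (N, <=): [3, 1] <=* [2, 5, 0, 4] via h(1) = 2, h(2) = 4.
    print(word_embeds([3, 1], [2, 5, 0, 4], leq_int))                           # True
```

Both functions take the same arguments, so the difference between the two orderings is visible directly: `[1, 2]` embeds into `[2, 1]` as a multiset but not as a word.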

In the following theorem we state some properties of bqos which we use later in the paper. The proof of property 5 is in [Mar99]. We use $\mathcal{P}(A)$ to denote the powerset of $A$.

Theorem 4.1.

1. Each bqo is wqo.

2. If $A$ is finite, then $(A, =)$ is bqo.

3. If $(A, \preceq)$ is bqo, then $(A^*, \preceq^*)$ is bqo.

4. If $(A, \preceq)$ is bqo, then $(A^\otimes, \preceq^\otimes)$ is bqo.

5. If $(A, \preceq)$ is bqo, then $(\mathcal{P}(A), \sqsubseteq)$ is bqo [Mar99]².

Proof. We show properties 1-4.

1. Follows immediately from the definitions of bqo and wqo.

2. Consider $(A, =)$ where $A = \{a_1, \ldots, a_n\}$ is finite. Let $f : \beta \to A$ be an $A$-pattern. Define $\beta_i = f^{-1}(a_i)$, for $i : 1 \le i \le n$. By Lemma 3.1 there is a barrier $\alpha \subseteq \beta_i$, for some $i : 1 \le i \le n$. Take any $s_1 \in \alpha$ and any $s_2 \in \mathcal{N}^\omega$, where $s_1 \lhd^* s_2$. Since $\alpha$ is a barrier, we know that there is $s_3 \in \alpha$ such that $s_3 \lhd s_2$, and that $s_3 \neq s_1$. It follows that $s_1 \lhd^* s_3$ and hence $f$ is good.

3. Suppose that $(A, \preceq)$ is bqo. We show that $(A^*, \preceq^*)$ is bqo. Take any $b \in A$. For $w \in A^*$, we let $w'$ denote $w b^\omega$ (i.e., we add infinitely many $b$:s to the end of $w$). It is clear that $w_1 \preceq^* w_2$ if and only if $w_1' \preceq^\omega w_2'$. Let $f : \beta \to A^*$ be an $A^*$-pattern. We know that $f' : \beta \to A^\omega$, where $f'(s) = w'$ iff $f(s) = w$, is an $A^\omega$-pattern. By Lemma 3.1 it follows that there are $s_1, s_2 \in \beta$ such that $s_1 \lhd^* s_2$ and $f'(s_1) \preceq^\omega f'(s_2)$, and hence $f(s_1) \preceq^* f(s_2)$. This means that $f$ is good.

4. Follows from 3. □

² [Jan99] provides a proof for a weaker version of the theorem, namely that bqo of $(A, \preceq)$ is sufficient for wqo of $(\mathcal{P}(A), \sqsubseteq)$.

Figure 1: A graphic illustration of $[\![\varphi_{2,5}]\!]$ and $[\![\psi_5]\!]$. Filled circles represent points satisfying the corresponding constraint.

Since bqo is a stronger relation than wqo (property 1), it follows by Lemma 2.1 that, to prove termination of the reachability algorithm of Section 2, it is sufficient to prove bqo of constraints under entailment. All constraint systems derived earlier in the literature based on the approach of [ACJYK96, AJ01, FS98] use properties 2, 3 and 4. This implies that all these constraint systems are also bqos. An immediate consequence of property 5 is that bqo of a set of constraints implies bqo of disjunctions of these constraints.

In the next sections, we introduce several constraint systems applying the following two steps.

1. We show better quasi-ordering of a constraint system $C_1$ using properties 2, 3 and 4 in Theorem 4.1 (following a similar methodology to that described in [ACJYK96, AJ01, FS98]).

2. We use property 5 to derive better quasi-ordering of a new, more compact constraint system $C_2$ defined as disjunctions of constraints in $C_1$.

We notice that, although $C_2$ is more compact, the computational complexity for checking membership and entailment may be higher for $C_2$ than for $C_1$. Furthermore, the reachability algorithm of Section 2 needs in general a higher number of iterations in case $C_2$ is employed. However, in almost all cases, the compactness offered by $C_2$ is the dominating factor in the efficiency of the algorithm.

As mentioned earlier, an important difference compared to the approach of [ACJYK96, AJ01, FS98] is that Step 2 (taking disjunction) cannot be performed within that framework. This is illustrated by the following example, which shows that wqos in general are not closed under disjunction.

Example 4.2. [Rado's Example] Consider the set $X = \{(a, b) \mid a < b\} \subseteq \mathcal{N}^2$. Define a set $C_1 = \{\varphi_{a,b} \mid (a, b) \in X\}$ of constraints, such that the denotation $[\![\varphi_{a,b}]\!] \subseteq X$ of $\varphi_{a,b}$ is the set $\{(c, d) \mid (c > b) \vee ((c = a) \wedge (d \ge b))\}$. It is straightforward to check that $C_1$ is wqo: suppose that we have a sequence $\varphi_{a_1,b_1}, \varphi_{a_2,b_2}, \ldots$ where $\varphi_{a_i,b_i} \not\preceq \varphi_{a_j,b_j}$ if $i < j$. Consider the sequence $(a_1, b_1), (a_2, b_2), \ldots$. First, we show that $a_j \le b_1$ for all $j > 1$. If this is not the case, then let $b_1 < a_j$. We show that this implies $\varphi_{a_1,b_1} \preceq \varphi_{a_j,b_j}$, which is a contradiction. Take any $(c, d) \in [\![\varphi_{a_j,b_j}]\!]$. Then, either $c > b_j$ or $(c = a_j) \wedge (d \ge b_j)$. In both cases, we show that $c > a_1$ and hence $(c, d) \in [\![\varphi_{a_1,b_1}]\!]$.

• $c > b_j$. We have $b_j > a_j$ and $b_1 > a_1$ by definition, and $a_j > b_1$ by assumption. It follows that $c > a_1$.

• $(c = a_j) \wedge (d \ge b_j)$. We know that $b_1 > a_1$ by definition, and $a_j > b_1$ by assumption. It follows that $c > a_1$.

Since $a_j \le b_1$ for all $j > 1$, we have a subsequence of the form $(a, b_{i_1}), (a, b_{i_2}), \ldots$, and hence there are $k$ and $\ell$ such that $b_{i_k} \le b_{i_\ell}$, which is a contradiction.

Now, we consider a set $C_2$ of constraints of the form $\psi_j$, where $\psi_j = \varphi_{0,j} \vee \cdots \vee \varphi_{j-1,j}$. The sequence $\psi_1, \psi_2, \ldots$ violates the wqo property, since for each $k, \ell : k < \ell$, we have $(k, \ell) \in [\![\psi_\ell]\!]$, but $(k, \ell) \notin [\![\psi_k]\!]$, and hence $[\![\psi_\ell]\!] \not\subseteq [\![\psi_k]\!]$. In Figure 1 we give graphic illustrations of $[\![\varphi_{2,5}]\!]$ and $[\![\psi_5]\!]$.

□
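Rado's example made executable, as an added example (not code from the paper): the constraints $\varphi_{a,b}$ of $C_1$ and the disjunctions $\psi_j$ of $C_2$ are represented by their membership predicates, entailment is decided by set inclusion, and the two facts of the example are checked on finite prefixes: a sequence in $C_1$ has a good pair, while no prefix of $\psi_1, \psi_2, \ldots$ does. The closed form used in `phi_entails` is my own derivation and is cross-checked against the semantic definition; all function names are assumptions.

```python
"""Rado's example: constraints phi_{a,b} (C_1) and psi_j (C_2) with semantic entailment.
Added example, not code from the paper; closed form and window sizes are my own choices."""
from itertools import product
from typing import Callable, Optional, Tuple


def in_phi(a: int, b: int, c: int, d: int) -> bool:
    """(c, d) in [[phi_{a,b}]]: a point of X = {(c, d) | c < d} with c > b, or c = a and d >= b."""
    return c < d and (c > b or (c == a and d >= b))


def in_psi(j: int, c: int, d: int) -> bool:
    """(c, d) in [[psi_j]],  psi_j = phi_{0,j} v ... v phi_{j-1,j}."""
    return any(in_phi(a, j, c, d) for a in range(j))


def phi_entails(a: int, b: int, a2: int, b2: int) -> bool:
    """phi_{a,b} <= phi_{a2,b2}, i.e. [[phi_{a2,b2}]] is a subset of [[phi_{a,b}]].
    Closed form derived here (assumption, cross-checked below): b2 >= b and (a2 > b or a2 == a)."""
    return b2 >= b and (a2 > b or a2 == a)


def closed_form_matches_semantics(bound: int) -> bool:
    """Compare phi_entails with pointwise inclusion on the window [0, 2*bound+2)^2 for all
    parameters below `bound`. Every witness of non-inclusion has c <= b+2 and d <= max(c+1, b2),
    so it lies inside the window: agreement there is agreement everywhere."""
    window = list(product(range(2 * bound + 2), repeat=2))
    pairs = [(a, b) for a, b in product(range(bound), repeat=2) if a < b]
    for (a, b), (a2, b2) in product(pairs, repeat=2):
        included = all(in_phi(a, b, c, d) for c, d in window if in_phi(a2, b2, c, d))
        if included != phi_entails(a, b, a2, b2):
            return False
    return True


def psi_entails(k: int, l: int, bound: int) -> bool:
    """psi_k <= psi_l checked on the window [0, bound)^2; enough to exhibit counter-witnesses."""
    return all(in_psi(k, c, d) for c, d in product(range(bound), repeat=2) if in_psi(l, c, d))


def first_good_pair(entails: Callable[[int, int], bool], n: int) -> Optional[Tuple[int, int]]:
    """First (i, j) with i < j <= n and constraint_i <= constraint_j, or None if the prefix is bad."""
    for i in range(1, n + 1):
        for j in range(i + 1, n + 1):
            if entails(i, j):
                return (i, j)
    return None


def rado_prefix_is_bad(n: int) -> bool:
    """The example's witness: for every k < l <= n, (k, l) is in [[psi_l]] but not in [[psi_k]]."""
    return all(in_psi(l, k, l) and not in_psi(k, k, l)
               for k in range(1, n + 1) for l in range(k + 1, n + 1))


if __name__ == "__main__":
    print(closed_form_matches_semantics(6))                                   # True
    # In C_1, the sequence phi_{0,1}, phi_{0,2}, ... has a good pair immediately.
    print(first_good_pair(lambda i, j: phi_entails(0, i, 0, j), 10))          # (1, 2)
    # In C_2, no prefix of psi_1, psi_2, ... has a good pair.
    print(first_good_pair(lambda k, l: psi_entails(k, l, 30), 12))            # None
    print(rado_prefix_is_bad(20))                                             # True
```

The closed form is exactly Rado's partial order on pairs, $(a,b) \le (a',b')$ iff $a = a' \wedge b \le b'$ or $b < a'$, which is why the wqo argument in the example reduces to finding two pairs with the same first component.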

5 Timed Petri Nets

We consider Timed Petri Nets (TPNs) where each token is equipped with a real-valued clock representing the "age" of the token. The firing conditions of a transition include the usual ones for Petri nets. Furthermore, each arc between a place and a transition is labeled with a subinterval of the natural numbers. When a transition is fired, the tokens removed from the input places of the transition and the tokens added to the output places should have ages lying in the intervals of the corresponding arcs.

We let $\mathcal{Z}$ and $\mathcal{R}^{\ge 0}$ denote the sets of integers and nonnegative reals, respectively. Recall that $\mathcal{N}$ denotes the set of natural numbers.

We also recall that $A^\otimes$ denotes the set of finite multisets over $A$. Often, we view a multiset $B$ over a set $A$ as a mapping from $A$ to $\mathcal{N}$. Sometimes we write multisets as lists, so e.g. $(2.4, 5.1, 5.1, 2.4, 2.4)$ represents a multiset $B$ over $\mathcal{R}^{\ge 0}$ where $B(2.4) = 3$, $B(5.1) = 2$ and $B(x) = 0$ for $x \ne 2.4, 5.1$. We may also write $B$ as $(2.4^3, 5.1^2)$. For multisets $B_1$ and $B_2$ over a set $A$, we say that $B_1 \le B_2$ if $B_1(a) \le B_2(a)$ for each $a \in A$. We define $B_1 + B_2$ to be the multiset $B$ where $B(a) = B_1(a) + B_2(a)$, and (assuming $B_1 \le B_2$) we define $B_2 - B_1$ to be the multiset $B$ where $B(a) = B_2(a) - B_1(a)$, for each $a \in A$. We use $\emptyset$ to denote the empty multiset, i.e., $\emptyset(a) = 0$ for each $a \in A$.

We use a set $Intrv$ of intervals. An open interval is written as $(w, z)$ where $w \in \mathcal{N}$ and $z \in \mathcal{N} \cup \{\infty\}$. Intervals can also be closed in one or both directions, e.g. $[w, z)$ is closed to the left. For $x \in \mathcal{R}^{\ge 0}$, we write $x \in [a, b]$ to denote that $a \le x \le b$.

A Timed Petri Net (TPN) is a tuple $N = (P, T, In, Out)$ where $P$ is a finite set of places, $T$ is a finite set of transitions and $In, Out : T \times P \to Intrv^\otimes$. If $In(t,p)(I) \ne 0$ ($Out(t,p)(I) \ne 0$), for some interval $I$, we say that $p$ is an input (output) place of $t$.

Markings A marking $M$ of $N$ is a finite multiset over $P \times \mathcal{R}^{\ge 0}$. The marking $M$ defines numbers and ages of the tokens in each place in the net. That is, $M(p, x)$ defines the number of tokens with age $x$ in place $p$. For example, if $M = ((p_1, 2.5), (p_1, 1.3), (p_2, 4.7), (p_2, 4.7))$, then, in the marking $M$, there are two tokens with ages 2.5 and 1.3 in $p_1$, and two tokens each with age 4.7 in the place $p_2$. Abusing notation, we define, for each place $p$, a multiset $M(p)$ over $\mathcal{R}^{\ge 0}$, where $M(p)(x) = M(p, x)$. Notice that untimed Petri nets are a special case in our model where all intervals are of the form $[0, \infty)$.

Transition Relation We define two types of transition relations on markings. A timed transition increases the age of all tokens by the same real number. Formally, $M_1 \to_{Time} M_2$ if $M_1$ is of the form $((p_1, x_1), \ldots, (p_n, x_n))$, and there is $\delta \in \mathcal{R}^{\ge 0}$ such that $M_2 = ((p_1, x_1 + \delta), \ldots, (p_n, x_n + \delta))$.

We define the set of discrete transitions $\to_{Disc}$ as $\bigcup_{t \in T} \to_t$, where $\to_t$ represents the effect of firing the transition $t$. More precisely, we define $M_1 \to_t M_2$ if, for each place $p$ with $In(t,p) = (I_1, \ldots, I_m)$ and $Out(t,p) = (J_1, \ldots, J_n)$, there are multisets $B_1 = (x_1, \ldots, x_m)$ and $B_2 = (y_1, \ldots, y_n)$ over $\mathcal{R}^{\ge 0}$, such that the following holds.

• $B_1 \le M_1(p)$.

• $x_i \in I_i$, for $i : 1 \le i \le m$.

• $y_i \in J_i$, for $i : 1 \le i \le n$.

• $M_2(p) = (M_1(p) - B_1) + B_2$.

Intuitively, a transition $t$ may be fired only if for each incoming arc to the transition, there is a token with the "right" age in the corresponding input place. This token will be removed from the input place when the transition is fired. Furthermore, for each outgoing arc, a token with an age in the interval will be added to the output place. We define the relation $\to$ to be $\to_{Time} \cup \to_{Disc}$.

For a set $\mathcal{M}$ of markings we let $Pre(\mathcal{M})$ denote the set $\{M \mid \exists M' \in \mathcal{M}.\ M \to M'\}$, i.e., $Pre(\mathcal{M})$ is the set of markings from which we can reach a marking in $\mathcal{M}$ through the application of a single (timed or discrete) transition.

A set $\mathcal{M}$ of markings is said to be upward closed if it is the case that $M \in \mathcal{M}$ and $M \le M'$ imply $M' \in \mathcal{M}$.

Coverability The coverability problem is defined as follows: Given a TPN $N$, a marking $M_{init}$ of $N$, and an upward closed set $\mathcal{M}_{fin}$ of markings of $N$, is there an $M \in \mathcal{M}_{fin}$ such that $M_{init} \to^* M$?

Using standard techniques [VW86, GW93], we can show that checking several classes of safety properties for TPNs can be reduced to the coverability problem. In the next section, we define constraints called existential zones. In our reachability algorithm, we use an existential zone to characterize the set $\mathcal{M}_{fin}$.

Example Figure 2 shows an example of a TPN where $P = \{A, B, C\}$ and $T = \{a, b, c\}$. For instance, $In(a) = ((B, [5, 7]))$ and $Out(b) = ((B, [0, 0]), (C, [0, 0]))$. The initial marking of this net is the marking $M_{init} = ((A, 0.0))$ with only one token with age $0$ in place $A$.

Remark 1 For simplicity of presentation we use only non-strict inequalities. All the results can be generalized in a straightforward manner to include the more general case, where we also allow strict inequalities.
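The operational semantics just defined (timed step, discrete firing of a transition through the multisets $B_1$ and $B_2$, the multiset ordering $\le$ on markings used by coverability), as an added example; this is not the paper's tool. Only $In(a)$ and $Out(b)$ come from the example above: the remaining arcs of the net, the chosen output ages, the `Counter`-based marking representation and all function names are my own constructions.

```python
"""Semantics of a TPN as defined in Section 5: timed step, firing, marking order.
Added example, not the paper's tool. In(a) and Out(b) are from the example;
the other arcs of the net are constructed (assumed) here."""
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

INF = float("inf")
Interval = Tuple[float, float]      # closed [lo, hi]; hi may be INF (non-strict bounds only, Remark 1)
Arcs = Dict[str, List[Interval]]    # place -> multiset of intervals, i.e. In(t, p) or Out(t, p)
Marking = Counter                   # finite multiset over (place, age) pairs


def in_interval(x: float, iv: Interval) -> bool:
    lo, hi = iv
    return lo <= x <= hi


def time_step(m: Marking, delta: float) -> Marking:
    """M1 ->Time M2: every token ages by the same delta >= 0."""
    assert delta >= 0
    return Counter({(p, x + delta): n for (p, x), n in m.items()})


def pick_tokens(avail: List[float], intervals: Sequence[Interval]) -> Optional[List[float]]:
    """Choose distinct tokens of one place with avail[i] in intervals[i]: the multiset
    B1 <= M1(p) of consumed ages, found by backtracking (or None if there is none)."""
    if not intervals:
        return []
    for i, x in enumerate(avail):
        if in_interval(x, intervals[0]):
            rest = pick_tokens(avail[:i] + avail[i + 1:], intervals[1:])
            if rest is not None:
                return [x] + rest
    return None


def fire(m: Marking, t_in: Arcs, t_out: Arcs, out_ages: Dict[str, List[float]]) -> Optional[Marking]:
    """M1 ->t M2 for the transition with arcs (t_in, t_out). `out_ages[p]` are the ages y_i
    chosen for the produced tokens; each must lie in the matching interval of Out(t, p).
    Returns None if t is not enabled in M1 or an output age is outside its interval."""
    m2 = Counter(m)
    for p, intervals in t_in.items():
        ages = sorted(x for (q, x), n in m.items() if q == p for _ in range(n))
        consumed = pick_tokens(ages, intervals)
        if consumed is None:
            return None
        m2 -= Counter((p, x) for x in consumed)          # M1(p) - B1
    for p, intervals in t_out.items():
        ys = out_ages.get(p, [])
        if len(ys) != len(intervals) or not all(in_interval(y, iv) for y, iv in zip(ys, intervals)):
            return None
        m2 += Counter((p, y) for y in ys)                 # ... + B2
    return m2


def leq(m1: Marking, m2: Marking) -> bool:
    """Multiset ordering M1 <= M2: M2 covers M1 (the sets we ask about are upward closed)."""
    return all(m2[tok] >= n for tok, n in m1.items())


# Net on P = {A, B, C}, T = {a, b, c}: In(a) and Out(b) as in the example, the rest assumed.
NET = {
    "a": ({"B": [(5.0, 7.0)]}, {"A": [(0.0, 0.0)]}),
    "b": ({"A": [(0.0, INF)]}, {"B": [(0.0, 0.0)], "C": [(0.0, 0.0)]}),
    "c": ({"C": [(0.0, 2.0)]}, {}),
}
M_INIT: Marking = Counter({("A", 0.0): 1})


def run_demo() -> Tuple[Marking, bool, bool]:
    """Fire b, let 6 time units pass, fire a. Returns the final marking, whether it covers
    ((A, 0.0)), and whether a was already enabled after only 4 time units."""
    m1 = fire(M_INIT, *NET["b"], {"B": [0.0], "C": [0.0]})
    early = fire(time_step(m1, 4.0), *NET["a"], {"A": [0.0]})   # B token aged 4: not in [5, 7]
    m3 = fire(time_step(m1, 6.0), *NET["a"], {"A": [0.0]})
    return m3, leq(Counter({("A", 0.0): 1}), m3), early is not None


if __name__ == "__main__":
    final, covers_init, fired_early = run_demo()
    print(dict(final), covers_init, fired_early)   # {('C', 6.0): 1, ('A', 0.0): 1} True False
```

The lazy semantics of Remark 2 is visible in `run_demo`: nothing forces $a$ to fire while the $B$ token is in $[5, 7]$, and letting more time pass would leave a dead token in $B$.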
Figure 2: A small timed Petri net.

Remark 2 Notice that, in our definition of the operational behaviour of TPNs, we assume a lazy (non-urgent) behaviour of the net. This means that we may choose to "let time pass" instead of firing enabled transitions, even if that makes transitions disabled due to some of the needed tokens becoming "too old". Tokens that are too old to participate in firing transitions are usually called dead tokens. In an urgent TPN, timed transitions that cause dead tokens are not allowed. This means that the set of transitions of an urgent TPN is a subset of the set of transitions of the corresponding lazy TPN. Therefore, if a set of markings is not reachable in the lazy TPN it is not reachable in the urgent TPN either. In other words, safety properties that hold for the lazy TPN also hold for the urgent TPN.



6 Existential Zones 



In this section we introduce a constraint system called existential zones. Intuitively, an existential zone characterizes an upward closed set of markings. An existential zone $Z$ represents minimal conditions on markings. More precisely, $Z$ specifies a minimum number of tokens which should be in the marking, and then imposes certain conditions on these tokens. The conditions are formulated as specifications of the places in which the tokens should reside and restrictions on their ages. The age restrictions are stated as bounds on values of clocks, and bounds on differences between values of pairs of clocks. A marking $M$ which satisfies $Z$ should have at least the number of tokens specified by $Z$. Furthermore, the places and ages of these tokens should satisfy the conditions imposed by $Z$. In such a case, $M$ may have any number of additional tokens (whose places and ages are irrelevant for the satisfiability of the zone by the marking).

For a natural number $n$, we let $n^0$ denote the set $\{0, 1, 2, \ldots, n\}$, and let $n^1$ denote the set $\{1, 2, \ldots, n\}$. We assume a TPN $(P, T, In, Out)$.

Figure 3: Example of restrictions on ages of tokens (axes $x_1$ and $x_2$).

An existential zone $Z$ is a triple $(m, P, D)$, where $m$ is a natural number, $P$ (called a placing) is a mapping $P : m^1 \to P$, and $D$ (called a difference bound matrix) is a mapping $D : m^0 \times m^0 \to \mathbb{Z} \cup \{\infty\}$. Intuitively, $m$ defines the minimum number of tokens in the marking, $P$ maps each token to a place, and $D$ defines restrictions on the ages of the tokens in the form of bounds on clock values and on differences between clock values. Difference bound matrices, or DBMs, are widely used in verification of timed automata, e.g., [Dil89, LPY95].

Consider the example from the previous section (Figure 2). Assume that we are interested in checking the coverability of markings with at least two tokens, one in place $B$ and one in place $C$, such that the ages of the tokens are at most 8 and the token in $B$ is at most 4 time units older than the one in $C$. The markings satisfying these constraints can be described by the existential zone $Z = (2, P, D)$ where $P(1) = B$, $P(2) = C$ and $D$ is described by the following table, where e.g. $D(0, 1) = 0$ and $D(2, 1) = 4$.

$$D = \begin{array}{c|ccc} & 0 & 1 & 2 \\ \hline 0 & - & 0 & 0 \\ 1 & 8 & - & 8 \\ 2 & 8 & 4 & - \end{array}$$

Figure 3 shows an illustration of the age restrictions of $Z$.

Consider a marking $M = ((p_1, x_1), \ldots, (p_n, x_n))$ and an injection $h : m^1 \to n^1$ (called a witness). We say that $M$ satisfies $Z$ with respect to $h$, written $M, h \models Z$, if the following conditions are satisfied.

• $P(i) = p_{h(i)}$, for each $i : 1 \le i \le m$.

• $x_{h(j)} - x_{h(i)} \le D(j, i)$, for each $i, j \in m^1$ with $i \ne j$.

• $x_{h(i)} \le D(i, 0)$ and $-D(0, i) \le x_{h(i)}$, for each $i \in m^1$.

We say that $M$ satisfies $Z$, written $M \models Z$, if $M, h \models Z$ for some $h$. Notice that if $M$ satisfies $Z$ then $m \le n$ (since $h$ is an injection), i.e., $M$ has at least the number of tokens required by $Z$, and furthermore, the places and ages of the tokens satisfy the requirements of $Z$. We define $[Z] = \{M \mid M \models Z\}$. Notice that the value of $D(i, i)$ is irrelevant for the satisfiability of $Z$.

Membership From the above definitions the following lemma is straightforward.

Lemma 6.1. For an existential zone $Z$ and a marking $M$, it is decidable whether $M \models Z$.

Upward Closedness We observe that $Z$ defines a number of minimal requirements on $M$, in the sense that $M$ should contain at least $m$ tokens whose places and ages are constrained by the functions $P$ and $D$ respectively. This means that the set $[Z]$ is upward closed, since $M \models Z$ and $M \le M'$ implies $M' \models Z$.
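The membership check of Lemma 6.1 and the upward closedness of $[Z]$, as an added Python example that is not code from the paper. The zone is the running example $Z = (2, P, D)$ with $P(1) = B$, $P(2) = C$; the markings, the dictionary encoding of $D$ (absent entries read as $\infty$) and the helper names are constructed here for illustration. The witness search enumerates every injection $h : m^1 \to n^1$, which is what makes the check decidable.

```python
from itertools import permutations
from typing import Dict, Optional, Tuple

INF = float("inf")

# An existential zone Z = (m, P, D): m tokens, placing P : {1..m} -> places,
# and DBM D : {0..m} x {0..m} -> Z u {inf}. D is a dict keyed by (j, i); a
# missing key means "no bound" (inf). Diagonal entries are irrelevant.
Zone = Tuple[int, Dict[int, str], Dict[Tuple[int, int], float]]
# A marking is a tuple of (place, age) pairs; ages are non-negative reals.
Marking = Tuple[Tuple[str, float], ...]


def bound(D, j, i):
    return D.get((j, i), INF)


def satisfies_with_witness(M: Marking, Z: Zone, h: Dict[int, int]) -> bool:
    """M, h |= Z for a witness h : {1..m} -> {1..n} (1-based token indices)."""
    m, P, D = Z
    ages = {k + 1: M[k][1] for k in range(len(M))}
    places = {k + 1: M[k][0] for k in range(len(M))}
    # Placing: zone token i must sit in the place of marking token h(i).
    if any(P[i] != places[h[i]] for i in range(1, m + 1)):
        return False
    # Bounds on single ages: x_h(i) <= D(i,0) and -D(0,i) <= x_h(i).
    for i in range(1, m + 1):
        if ages[h[i]] > bound(D, i, 0) or -bound(D, 0, i) > ages[h[i]]:
            return False
    # Bounds on differences: x_h(j) - x_h(i) <= D(j,i) for i != j.
    for j in range(1, m + 1):
        for i in range(1, m + 1):
            if i != j and ages[h[j]] - ages[h[i]] > bound(D, j, i):
                return False
    return True


def find_witness(M: Marking, Z: Zone) -> Optional[Dict[int, int]]:
    """Decide M |= Z (Lemma 6.1) by enumerating all injections h : m^1 -> n^1.
    Returns a witness, or None when M does not satisfy Z."""
    m = Z[0]
    n = len(M)
    if m > n:  # an injection needs at least m marking tokens
        return None
    for image in permutations(range(1, n + 1), m):
        h = {i + 1: image[i] for i in range(m)}
        if satisfies_with_witness(M, Z, h):
            return h
    return None


def satisfies(M: Marking, Z: Zone) -> bool:
    return find_witness(M, Z) is not None


# Constructed running example (the zone of Section 6): two tokens, one in B and
# one in C, both of age at most 8, with D(2,1) = 4 and D(1,2) = 8.
Z_EXAMPLE: Zone = (
    2,
    {1: "B", 2: "C"},
    {(0, 1): 0, (0, 2): 0, (1, 0): 8, (1, 2): 8, (2, 0): 8, (2, 1): 4},
)

if __name__ == "__main__":
    M1: Marking = (("A", 0.0), ("C", 3.5), ("B", 2.0))
    print(find_witness(M1, Z_EXAMPLE))  # {1: 3, 2: 2}
    M2: Marking = (("B", 2.0), ("C", 9.0))  # the token in C is too old
    print(satisfies(M2, Z_EXAMPLE))  # False
    # Upward closedness: extra tokens never break satisfaction.
    print(satisfies(M1 + (("A", 100.0), ("C", 50.0)), Z_EXAMPLE))  # True
```

The enumeration is exponential in $m$, as the remark after Lemma 6.3 warns; for the small zones of the examples this is immaterial, and it is the same witness search that the entailment check of Section 6.1 performs.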

Normal and Consistent Existential Zones An existential zone $Z = (m, P, D)$ is said to be normal if for each $i, j, k \in m^0$, we have $D(j, i) \le D(j, k) + D(k, i)$. It is easy to show the following.

Lemma 6.2. For each existential zone $Z$ there is a unique (up to renaming of the index set) normal existential zone with the same denotation $[Z]$.

This means that we can assume without loss of generality that all existential zones we work with are normal.

An existential zone $Z$ is said to be consistent if $[Z] \ne \emptyset$.

6.1 Computing Entailment

We reduce checking entailment between existential zones to validity of formulas in a logic which we here call Difference Bound Logic (DBL). The atomic formulas are either of the form $v \le c$ or of the form $v - u \le c$, where $v$ and $u$ are variables interpreted over $\mathbb{R}$ and $c \in \mathbb{Z}$. Furthermore, the set of formulas is closed under the propositional connectives. It is easy to see that validity of DBL-formulas is NP-complete.
Suppose that we are given two existential zones $Z_1 = (m, P_1, D_1)$ and $Z_2 = (n, P_2, D_2)$. We translate the relation $Z_1 \sqsubseteq Z_2$ into validity of a DBL-formula $F$ as follows. We define the set of free variables in $F$ to be $\{v_1, \ldots, v_n\}$. Let $H$ be the set of injections from $m^1$ to $n^1$ such that $h \in H$ if and only if $P_1(i) = P_2(h(i))$ for each $i \in m^1$. We define $F = \big(F_1 \Rightarrow (\bigvee_{h \in H} F_2)\big)$, where $F_1 = F_{11} \wedge F_{12} \wedge F_{13}$ and $F_2 = F_{21} \wedge F_{22} \wedge F_{23}$ (the formula $F_2$ depends on the witness $h$), and

• $F_{11} = \bigwedge_{i, j \in n^1,\ i \ne j} \big(v_j - v_i \le D_2(j, i)\big)$.

• $F_{12} = \bigwedge_{i \in n^1} \big(v_i \le D_2(i, 0)\big)$.

• $F_{13} = \bigwedge_{i \in n^1} \big(-D_2(0, i) \le v_i\big)$.

• $F_{21} = \bigwedge_{i, j \in m^1,\ i \ne j} \big(v_{h(j)} - v_{h(i)} \le D_1(j, i)\big)$.

• $F_{22} = \bigwedge_{i \in m^1} \big(v_{h(i)} \le D_1(i, 0)\big)$.

• $F_{23} = \bigwedge_{i \in m^1} \big(-D_1(0, i) \le v_{h(i)}\big)$.

This gives the following.

Lemma 6.3. The entailment relation is decidable for existential zones. 

Notice that in contrast to zones for which entailment can be checked in poly- 
nomial time, the entailment relation for existential zones can be checked only 
in nondeterministic polynomial time (as we have to consider exponentially 
many witnesses). This is the price we pay for working with an unbounded 
number of clocks. On the other hand, when using zones, the size of the 
problem grows exponentially with the number of clocks inside the system. 
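The witness enumeration behind the translation above, as an added Python example that is not the paper's code. It tests, for each $h \in H$ separately, whether the bounds of $Z_1$ mapped through $h$ are already imposed by $Z_2$ (assumed normal, as Lemma 6.2 permits); this is the per-witness implication $F_1 \Rightarrow F_2$, which is sufficient for $F_1 \Rightarrow \bigvee_{h \in H} F_2$ but not necessary, since the disjunction over witnesses can hold without any single $h$ working on its own (two unconstrained tokens in the same place always admit some ordering of their ages, yet no single $h$ implies a fixed ordering). A full DBL validity check is not implemented here. The zones and the helper names are constructed for illustration.

```python
from itertools import permutations
from typing import Dict, Optional, Tuple

INF = float("inf")
# Zone (m, P, D) with D as a dict of bounds keyed by (j, i); missing = inf.
Zone = Tuple[int, Dict[int, str], Dict[Tuple[int, int], float]]


def bound(D, j, i):
    return D.get((j, i), INF)


def matching_witnesses(Z1: Zone, Z2: Zone):
    """The set H: injections h : m^1 -> n^1 with P1(i) = P2(h(i)) for all i."""
    m, P1, _ = Z1
    n, P2, _ = Z2
    for image in permutations(range(1, n + 1), m):
        h = {i + 1: image[i] for i in range(m)}
        if all(P1[i] == P2[h[i]] for i in range(1, m + 1)):
            yield h


def implied_by_witness(Z1: Zone, Z2: Zone, h: Dict[int, int]) -> bool:
    """F1 => F2 for this h: every bound Z1 imposes (through h) is at least as
    tight in Z2. Assumes Z2 is normal, so D2 carries its tightest bounds."""
    m, _, D1 = Z1
    _, _, D2 = Z2
    for i in range(1, m + 1):
        if bound(D2, h[i], 0) > bound(D1, i, 0):       # F22: upper bound on age
            return False
        if bound(D2, 0, h[i]) > bound(D1, 0, i):       # F23: lower bound on age
            return False
        for j in range(1, m + 1):
            if i != j and bound(D2, h[j], h[i]) > bound(D1, j, i):  # F21
                return False
    return True


def entailed_by(Z1: Zone, Z2: Zone) -> Optional[Dict[int, int]]:
    """Sufficient test for [Z2] subset of [Z1]: returns a witness h for which
    F1 => F2 holds, or None. A genuine F1 => (OR over h of F2) with no single
    h working on its own is also reported as None (hypothetical helper)."""
    for h in matching_witnesses(Z1, Z2):
        if implied_by_witness(Z1, Z2, h):
            return h
    return None


# Constructed zones, all normal. Z_BC is the running example (tokens in B and
# C, ages <= 8, D(2,1) = 4); Z_TIGHT has the same places with ages <= 6.
Z_BC: Zone = (2, {1: "B", 2: "C"},
              {(0, 1): 0, (0, 2): 0, (1, 0): 8, (1, 2): 8, (2, 0): 8, (2, 1): 4})
Z_TIGHT: Zone = (2, {1: "B", 2: "C"},
                 {(0, 1): 0, (0, 2): 0, (1, 0): 6, (1, 2): 6, (2, 0): 6, (2, 1): 4})
Z_B8: Zone = (1, {1: "B"}, {(0, 1): 0, (1, 0): 8})   # one token in B, age <= 8
Z_B5: Zone = (1, {1: "B"}, {(0, 1): 0, (1, 0): 5})   # one token in B, age <= 5

if __name__ == "__main__":
    print(entailed_by(Z_BC, Z_TIGHT))  # {1: 1, 2: 2}: every marking of Z_TIGHT satisfies Z_BC
    print(entailed_by(Z_B8, Z_BC))     # {1: 1}
    print(entailed_by(Z_B5, Z_BC))     # None: Z_BC admits a B-token of age 7
```

The witness loop is the exponential factor mentioned above: $H$ can have up to $n!/(n-m)!$ elements, whereas each per-witness comparison is quadratic in $m$.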

6.2 Computing Predecessors 

We define a function $Pre$ such that for a zone $Z$, the value of $Pre(Z)$ is a finite set $\{Z_1, \ldots, Z_m\}$ of zones. The set $Pre(Z)$ characterizes the set of markings from which we can reach a marking satisfying $Z$ through the performance of a single discrete or timed transition. In other words, $[Pre(Z)] = [Z_1] \cup \cdots \cup [Z_m]$. We define $Pre = Pre_{Disc} \cup Pre_{Time}$, where $Pre_{Disc}$ corresponds to firing transitions backwards and $Pre_{Time}$ corresponds to running time backwards.

We define $Pre_{Disc} = \bigcup_{t \in T} Pre_t$, where $Pre_t$ characterizes the effect of running the transition $t$ backwards. To define $Pre_t$, we need the following operations on zones. In the rest of the section we assume a normal existential zone $Z = (m, P, D)$, and a timed Petri net $N = (P, T, In, Out)$. From Lemma 6.2 we know that assuming $Z$ to be normal does not affect the generality of our results.

For an interval $X = [a, b]$ and $i \in m^1$, we define the conjunction $Z \otimes (X, i)$ of $Z$ with $X$ at $i$ to be the existential zone $Z' = (m, P, D')$, where

• $D'(i, 0) = \min(b, D(i, 0))$.

• $D'(0, i) = \min(-a, D(0, i))$.

• $D'(k, j) = D(k, j)$, for each $j, k \in m^0$ with $k \ne j$, $(k, j) \ne (i, 0)$, and $(k, j) \ne (0, i)$.
Intuitively, the operation adds an additional constraint on the age of token $i$, namely that its age should be in the interval $X$. For example, for the zone

$$Z = \left( 2, \ \begin{array}{l} P(1) = B \\ P(2) = C \end{array}, \ \begin{array}{c|ccc} & 0 & 1 & 2 \\ \hline 0 & - & 0 & 0 \\ 1 & 8 & - & 8 \\ 2 & 8 & 4 & - \end{array} \right)$$

the conjunction $Z \otimes ([1, 6], 1)$ is the zone

$$\left( 2, \ P, \ \begin{array}{c|ccc} & 0 & 1 & 2 \\ \hline 0 & - & -1 & 0 \\ 1 & 6 & - & 8 \\ 2 & 8 & 4 & - \end{array} \right)$$

while the conjunction $Z \otimes ([0, 10], 1) = Z$.

For a place $p$ and an interval $X = [a, b]$, we define the addition $Z \oplus (p, X)$ of $(p, X)$ to $Z$ to be the existential zone $Z' = (m + 1, P', D')$, where

• $D'(m + 1, 0) = b$, and $D'(0, m + 1) = -a$.

• $D'(m + 1, j) = \infty$, and $D'(j, m + 1) = \infty$, for each $j \in m^1$.

• $P'(m + 1) = p$.

• $D'(k, j) = D(k, j)$, for each $j, k \in m^0$, and $P'(j) = P(j)$, for each $j \in m^1$.

Intuitively, the new existential zone $Z'$ requires one additional token to be present in place $p$ such that the age of the token is in the interval $X$. For example, for the zone

$$Z = \left( 2, \ \begin{array}{l} P(1) = B \\ P(2) = C \end{array}, \ \begin{array}{c|ccc} & 0 & 1 & 2 \\ \hline 0 & - & 0 & 0 \\ 1 & 8 & - & 8 \\ 2 & 8 & 4 & - \end{array} \right)$$

the addition $Z \oplus (A, [1, 2])$ is the zone

$$\left( 3, \ \begin{array}{l} P'(1) = B \\ P'(2) = C \\ P'(3) = A \end{array}, \ \begin{array}{c|cccc} & 0 & 1 & 2 & 3 \\ \hline 0 & - & 0 & 0 & -1 \\ 1 & 8 & - & 8 & \infty \\ 2 & 8 & 4 & - & \infty \\ 3 & 2 & \infty & \infty & - \end{array} \right)$$
For $i \in m^1$, we define the abstraction $Z \setminus i$ of $i$ in $Z$ to be the zone $Z' = (m - 1, P', D')$, where

• $D'(j, k) = D(j, k)$, for each $j, k \in (i - 1)^0$.

• $D'(j, k) = D(j, k + 1)$ and $D'(k, j) = D(k + 1, j)$, for each $j \in (i - 1)^0$ and $k \in \{i, \ldots, m - 1\}$.

• $D'(j, k) = D(j + 1, k + 1)$, for each $j, k \in \{i, \ldots, m - 1\}$.

• $P'(j) = P(j)$, for each $j \in (i - 1)^0$, and $P'(j) = P(j + 1)$, for $j \in \{i, \ldots, m - 1\}$.

Intuitively, the operation removes all constraints related to token $i$ from $Z$, so the number of required tokens is reduced by 1 and the restrictions related to the age and place of the token disappear. For example, for the zone $Z = (3, P, D)$ with $P(1) = B$, $P(2) = C$, $P(3) = A$ obtained by normalizing the result of the addition above, the abstraction $Z \setminus 2$ is the zone

$$\left( 2, \ \begin{array}{l} P'(1) = B \\ P'(2) = A \end{array}, \ \begin{array}{c|ccc} & 0 & 1 & 2 \\ \hline 0 & - & 0 & -1 \\ 1 & 8 & - & 7 \\ 2 & 2 & 2 & - \end{array} \right)$$

Notice that the existential zones we obtain as a result of performing the 
three operations above need not be normal. 

Now, we are ready to define Pre. 

Lemma 6.4. Consider a TPN $N = (P, T, In, Out)$, a transition $t \in T$, and an existential zone $Z = (m, P, D)$. Let $In(t) = ((p_1, I_1), \ldots, (p_k, I_k))$ and $Out(t) = ((q_1, J_1), \ldots, (q_\ell, J_\ell))$. Then $Pre_t(Z)$ is the smallest set containing each existential zone $Z'$ such that there is a partial injection $h : m^1 \to \ell^1$ with domain $\{i_1, \ldots, i_n\}$, and an existential zone $Z_1$ satisfying the following conditions.

• $P(i_j) = q_{h(i_j)}$, for each $j \in n^1$.

• $Z \otimes (J_{h(i_1)}, i_1) \otimes \cdots \otimes (J_{h(i_n)}, i_n)$ is consistent.

• $Z_1 = Z \setminus i_1 \setminus \cdots \setminus i_n$.

• $Z' = Z_1 \oplus (p_1, I_1) \oplus \cdots \oplus (p_k, I_k)$.

Lemma 6.5. For an existential zone $Z = (m, P, D)$, the set $Pre_{Time}(Z)$ is the existential zone $Z' = (m, P, D')$, where $D'(0, i) = 0$ and $D'(j, i) = D(j, i)$ if $j \ne 0$, for each $i, j \in m^0$ with $i \ne j$.

From Lemma 6.4 and Lemma 6.5 we get the following.

Lemma 6.6. For an existential zone Z, the set Pre(Z) is computable. 
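The operations of this section (normalization of Lemma 6.2, the consistency test, conjunction $\otimes$, addition $\oplus$, abstraction $\setminus$, and $Pre_{Time}$ of Lemma 6.5), as an added Python example that is not the paper's implementation; $Pre_t$ of Lemma 6.4 is not included. The matrix $D$ is stored as a full $(m+1) \times (m+1)$ list with diagonal 0 and $\infty$ for absent bounds, the zone is the running example with tokens in $B$ and $C$, and the function names are the example's own. Normalization is a Floyd-Warshall closure of the bound graph, and a negative diagonal after closure is exactly the inconsistent case.

```python
from typing import Dict, List, Tuple

INF = float("inf")
# Zone (m, P, D): D is a full (m+1) x (m+1) matrix indexed D[j][i], with
# diagonal 0 and INF meaning "no bound".
Zone = Tuple[int, Dict[int, str], List[List[float]]]


def normalize(Z: Zone) -> Zone:
    """Tighten D so that D(j,i) <= D(j,k) + D(k,i) for all i, j, k (Lemma 6.2)
    by Floyd-Warshall on the bound graph. Diagonal entries stay at 0 unless a
    negative cycle exists."""
    m, P, D = Z
    N = [row[:] for row in D]
    for k in range(m + 1):
        for j in range(m + 1):
            for i in range(m + 1):
                if N[j][k] + N[k][i] < N[j][i]:
                    N[j][i] = N[j][k] + N[k][i]
    return (m, dict(P), N)


def consistent(Z: Zone) -> bool:
    """[Z] is non-empty iff normalization produces no negative cycle."""
    _, _, N = normalize(Z)
    return all(N[i][i] >= 0 for i in range(len(N)))


def conjunction(Z: Zone, X: Tuple[float, float], i: int) -> Zone:
    """Z (x) (X, i): additionally require the age of token i to lie in X = [a, b]."""
    a, b = X
    m, P, D = Z
    D2 = [row[:] for row in D]
    D2[i][0] = min(b, D[i][0])
    D2[0][i] = min(-a, D[0][i])
    return (m, dict(P), D2)


def addition(Z: Zone, p: str, X: Tuple[float, float]) -> Zone:
    """Z (+) (p, X): one more token, in place p, with age in X = [a, b]."""
    a, b = X
    m, P, D = Z
    D2 = [row[:] + [INF] for row in D] + [[INF] * (m + 2)]
    D2[m + 1][0], D2[0][m + 1], D2[m + 1][m + 1] = b, -a, 0
    P2 = dict(P)
    P2[m + 1] = p
    return (m + 1, P2, D2)


def abstraction(Z: Zone, i: int) -> Zone:
    """Z minus i: drop token i and its constraints; tokens above i shift down."""
    m, P, D = Z
    keep = [k for k in range(m + 1) if k != i]
    D2 = [[D[j][k] for k in keep] for j in keep]
    P2 = {j: P[j] for j in range(1, i)}
    P2.update({j: P[j + 1] for j in range(i, m)})
    return (m - 1, P2, D2)


def pre_time(Z: Zone) -> Zone:
    """Pre_Time(Z) (Lemma 6.5): running time backwards drops every lower bound
    on an age to 0 (D'(0, i) = 0) and keeps all other bounds."""
    m, P, D = Z
    D2 = [row[:] for row in D]
    for i in range(1, m + 1):
        D2[0][i] = 0
    return (m, dict(P), D2)


# The running example of Section 6 (constructed input): tokens in B and C.
Z_BC: Zone = (2, {1: "B", 2: "C"},
              [[0, 0, 0],
               [8, 0, 8],
               [8, 4, 0]])

if __name__ == "__main__":
    print(conjunction(Z_BC, (1, 6), 1)[2])            # [[0, -1, 0], [6, 0, 8], [8, 4, 0]]
    Z3 = addition(Z_BC, "A", (1, 2))                   # third token in A, age in [1, 2]
    print(abstraction(normalize(Z3), 2))              # (2, {1: 'B', 2: 'A'}, [[0, 0, -1], [8, 0, 7], [2, 2, 0]])
    print(consistent(conjunction(Z_BC, (9, 10), 1)))  # False: age <= 8 and age >= 9
```

The abstraction call reproduces the matrix shown for $Z \setminus 2$ above only after normalization: the bound $D'(1, 2) = 7$ on the $B$ and $A$ tokens is inherited through the $0$ index, which is why the text remarks that the raw results of the three operations need not be normal.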

6.3 BQO 

In order to prove that existential zones are bqo we recall a constraint system related to existential zones, namely that of existential regions introduced in [AJ98]. Let $cmax$ be the largest natural number which appears in the intervals of the given TPN (excluding $\infty$). An existential region is a list of multisets $(B_0, B_1, \ldots, B_n, B_{n+1})$ where $n \ge 0$ and each $B_i$ is a multiset over $P \times cmax^0$. In a similar manner to existential zones, an existential region $R$ defines a set of conditions which should be satisfied by a configuration $\gamma$ in order for $\gamma$ to satisfy $R$. Intuitively, $B_0$ represents tokens with ages which have fractional parts equal to 0. The multisets $B_1, \ldots, B_n$ represent tokens whose ages have increasing fractional parts, where ages of tokens belonging to the same multiset have the same fractional part and ages of tokens belonging to $B_i$ have a fractional part that is strictly less than the fractional part of the ages of those in $B_{i+1}$. Finally, the multiset $B_{n+1}$ represents tokens with ages greater than $cmax$ (regardless of their fractional parts).

BQO of existential zones follows from the following two arguments: 

1. Existential regions are built starting from finite domains, and repeatedly building finite words, multisets, and sets. From the properties mentioned above, it follows that existential regions are bqo.

2. For each existential zone Z, there is a finite set R of existential regions 
such that Z = \J R. Since bqo is closed under union, it follows that 
existential zones are bqo. 

This implies the following: 

Lemma 6.7. Existential zones are bqo (and hence wqo). 
7 Experimental Results

We have implemented a prototype to perform coverability analysis for timed Petri nets. In our experimentation we use a constraint system called existential DDDs, which is described below. The implementation is based on a DDD package developed at the Technical University of Denmark [ML98]. We have used the tool to verify a parameterized version of Fischer's protocol [SBM92].



7.1 Existential CDDs and DDDs 



Clock Difference Diagrams (CDDs) [BLP+99] and Difference Decision Diagrams (DDDs) [MLAH99] are constraint systems that have been invented to give representations of real-time systems that are more compact than zones. In the same manner as zones were modified into existential zones, we modify the definitions of CDDs (DDDs) into existential CDDs (DDDs) to make them suitable for verifying systems with an unbounded number of clocks. Below we give the definition of existential DDDs. The definition of existential CDDs can be stated in a similar manner.

An existential DDD $Y$ is a tuple $(m, P, V, E)$, where $m$ is a natural number denoting the minimum number of tokens in a marking satisfying $Y$ and the placing $P$ maps each token to a place in the same manner as in an existential zone (Section 6). $(V, E)$ is a finite directed acyclic graph where $V$ is the set of vertices and $E$ is the set of edges. The set $V$ contains two special elements $v^0$ and $v^1$. The out-degrees of $v^0$ and $v^1$ are zero while the out-degrees of the rest of the vertices are two. Each vertex $v \in V \setminus \{v^0, v^1\}$ has the following attributes: $pos(v), neg(v) \in m^0$, $op(v) \in \{<, \le\}$, $const(v) \in \mathbb{Z}$, and $high(v), low(v) \in V$. The set $E$ contains the edges $(v, low(v))$ and $(v, high(v))$, where $v \in V \setminus \{v^0, v^1\}$. In a similar manner to BDDs, the internal nodes of $Y$ correspond to the if-then-else operator $\phi \to \phi_1, \phi_2$, defined as $(\phi \wedge \phi_1) \vee (\neg\phi \wedge \phi_2)$. Intuitively, the attributes of the node represent the DBL-formula $\phi = x_{pos(v)} - x_{neg(v)}\ op(v)\ const(v)$, and $high(v)$ and $low(v)$ are the children of $v$ corresponding to $\phi_1$ and $\phi_2$ respectively. The special vertices $v^0$ and $v^1$ correspond to false and true.

Consider an existential DDD $Y = (m, P, V, E)$, a vertex $v \in V$, a marking $M = ((p_1, x_1), \ldots, (p_n, x_n))$ and an injection $h : m^1 \to n^1$. We say that $M$ satisfies $Y$ at $v$ with respect to $h$, written $M, h \models (Y, v)$, if $P(i) = p_{h(i)}$ for each $i \in m^1$, and either

• $v = v^1$; or

• $\big(x_{h(pos(v))} - x_{h(neg(v))} \sim const(v)\big) \to \big(M, h \models (Y, high(v))\big),\ \big(M, h \models (Y, low(v))\big)$, where $\sim\ = op(v)$.

Figure 4: Fischer's Protocol for Mutual Exclusion

As with existential zones, we can modify the operations defined in [MLAH99] to compute predecessors of existential DDDs with respect to transitions of a timed Petri net. To check entailment we must, as we did for existential zones, take into consideration all variable permutations.

For each existential DDD $Y$ there is a finite set $\mathcal{Z}$ of existential zones such that $[Y] = [\bigvee \mathcal{Z}]$. Intuitively this means that an existential DDD can replace several existential zones, and hence existential DDDs give a more compact (efficient) representation of sets of states. From Lemma 6.7, the closure of bqo under finite union, and the fact that each existential DDD is the disjunction of a finite set of existential zones, we get the following result.

Lemma 7.1. Existential DDDs are better quasi-ordered (and hence also 
well quasi-ordered). 

7.2 Fischer's Protocol 

We will now describe a timed Petri net model of a parameterized version of Fischer's protocol [SBM92]. The purpose of the protocol is to guarantee mutual exclusion in a concurrent system consisting of an arbitrary number of processes. The example was suggested by Schneider et al. [SBM92]. The protocol analyzed here is in fact a weakened version of Fischer's protocol, but since the set of reachable states of the weakened version is a superset of the reachable states of the original protocol, the results of our analysis are still valid.

The protocol consists of each process running the code that is graphically described in Figure 4. Each process $i$ has a local clock, $x_i$, and a control state that assumes values in the set $\{A, B, C, CS\}$ where $A$ is the initial state and $CS$ is the critical section. The processes read from and write to a shared variable $v$, whose value is either $\bot$ or the index of one of the processes.

Figure 5: Timed Petri net model of Fischer's Protocol for Mutual Exclusion

All processes start in state $A$. If the value of the shared variable is $\bot$, a process wishing to enter the critical section can proceed to state $B$ and reset its local clock. From state $B$, the process can proceed to state $C$ within one time unit or get stuck in $B$ forever. When making the transition from $B$ to $C$, the process resets its local clock and sets the value of the shared variable to its own index. The process now has to wait in state $C$ for more than one time unit, a period of time that is strictly greater than the one used in the timeout of state $B$. If the value of the shared variable is still the index of the process, the process may enter the critical section, otherwise it may return to state $A$ and start over again. When exiting the critical section, the process resets the shared variable to $\bot$.

We will now make a model of the protocol in our timed Petri net formalism. The processes running the protocol are modelled by tokens in the places $A$, $B$, $C$, $CS$, $A^\dagger$, $B^\dagger$ and $CS^\dagger$. The places marked with $\dagger$ represent that the value of the shared variable is the index of the process modelled by the token in that place. We use a place $udf$ to represent that the value of the shared variable is $\bot$. A straightforward translation of the description in Figure 4 yields the Petri net model in Figure 5; $q$ is used to denote an arbitrary process state. The critical section is modelled by the places $CS$ and $CS^\dagger$, so mutual exclusion is satisfied when the number of tokens in those places is less than two.
7.3 Results



We have used our prototype to analyze the parameterized version of Fischer's protocol presented above. In order to prove mutual exclusion we examine the reachability of the existential zones stating that at least two processes are in the critical section, i.e., the following zones:

• $Z_1 = (2, P_1, D)$ where $P_1(1) = P_1(2) = CS$;

• $Z_2 = (2, P_2, D)$ where $P_2(1) = CS$ and $P_2(2) = CS^\dagger$;

• $Z_3 = (2, P_3, D)$ where $P_3(1) = P_3(2) = CS^\dagger$.

For all three zones $D(0, i) = 0$ and $D(i, j) = \infty$ for $i \ne j$.

The reachable state space, represented by 45 existential DDDs, takes 3.5 
seconds to compute on a Sun Ultra 60 with 512 MB memory and a 360 
MHz UltraSPARC-II processor. In the process, Pre was computed for 51 
existential DDDs. 



8 Broadcast Protocols 

We consider broadcast protocols, which consist of an arbitrary number of identical finite-state processes, communicating through rendezvous or through broadcast. We assume a finite set $\{s_1, \ldots, s_n\}$ of states, and a set $\{x_1, \ldots, x_n\}$ of variables which range over the natural numbers. A configuration $\gamma$ of a protocol is a tuple $(a_1, \ldots, a_n)$ of natural numbers, where $a_i$ represents the number of processes which are in the state $s_i$. In [EFM99] a constraint system, which we here refer to as $B$, is defined, where each constraint is a tuple $(b_1, \ldots, b_n)$ with a denotation $[(b_1, \ldots, b_n)]$ which is the upward closed set $\{(a_1, \ldots, a_n) \mid (b_1, \ldots, b_n) \le (a_1, \ldots, a_n)\}$. In [DEP99] several new constraint systems for broadcast protocols are proposed, and compared with regard to the efficiency parameters mentioned earlier in the paper. The most general of these constraint systems, called $AD$ in [DEP99], consists of conjunctions of constraints each of the form $x_{i_1} + \cdots + x_{i_k} \ge b$, where $x_{i_1}, \ldots, x_{i_k}$ are distinct variables of $\{x_1, \ldots, x_n\}$. Two special cases are considered: $NA$, where $k$ is always equal to 1, and $DV$, where the sets of variables occurring in the different conjuncts are assumed to be disjoint. Since these new constraint systems are not constructed by applying the basic set of constraint operations (described earlier in the paper), a separate proof of termination is required for them.

Applying the method described earlier we can show bqo of $AD$, $NA$, and $DV$ uniformly as follows. From the properties in Theorem 4.1 it follows that $B$ is bqo. Furthermore, it is straightforward to show that each constraint in $AD$, $NA$, and $DV$ is equivalent to the disjunction of a finite set of constraints in $B$. From the closure under finite union in Theorem 4.1 we get

Theorem 8.1. AD, NA, and DV are bqo. 

In fact we can derive the bqo property for a more general constraint system than $AD$, namely that consisting of basic constraints of the form $a_1 x_1 + \cdots + a_k x_k \ge b$, combined through conjunction and disjunction.
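The reduction of an $AD$ constraint to a finite disjunction of $B$ constraints used in the argument above, as an added Python example that is not from [DEP99] or this paper. A basic constraint $x_{i_1} + \cdots + x_{i_k} \ge b$ has as minimal configurations exactly the ways of distributing $b$ over its $k$ variables; a conjunction is handled by combining one minimal solution per conjunct through pointwise maximum and then keeping the minimal tuples. The three-state protocol, the 0-based variable indices and the function names are constructed for illustration.

```python
from itertools import product
from typing import List, Sequence, Tuple

# A basic AD constraint x_{i1} + ... + x_{ik} >= b over n counters, given as
# the 0-based indices of its variables and the bound b. An AD constraint is a
# list of such conjuncts. A B-constraint is a tuple (b_1, ..., b_n) denoting
# the upward closed set of all configurations >= it pointwise.
Conjunct = Tuple[Sequence[int], int]


def minimal_solutions(n: int, idx: Sequence[int], b: int) -> List[Tuple[int, ...]]:
    """Minimal configurations of x_{i1}+...+x_{ik} >= b: every way of splitting
    exactly b among the k variables, with zeros elsewhere."""
    k = len(idx)
    if b <= 0:
        return [tuple([0] * n)]
    if k == 0:
        return []  # 0 >= b with b > 0 is unsatisfiable
    out: List[Tuple[int, ...]] = []

    def split(pos: int, remaining: int, acc: List[int]) -> None:
        if pos == k - 1:
            cfg = [0] * n
            for v, amount in zip(idx, acc + [remaining]):
                cfg[v] = amount
            out.append(tuple(cfg))
            return
        for amount in range(remaining + 1):
            split(pos + 1, remaining - amount, acc + [amount])

    split(0, b, [])
    return out


def minimal_elements(tuples: List[Tuple[int, ...]]) -> List[Tuple[int, ...]]:
    """Keep only the tuples not dominated pointwise by another one."""
    def leq(u, v):
        return all(a <= c for a, c in zip(u, v))
    return sorted(t for t in set(tuples)
                  if not any(u != t and leq(u, t) for u in tuples))


def ad_to_b(n: int, conjuncts: List[Conjunct]) -> List[Tuple[int, ...]]:
    """The finite set of B-constraints whose disjunction equals the AD
    constraint: pick one minimal solution per conjunct, take the pointwise
    maximum (which satisfies every conjunct), then drop non-minimal tuples."""
    choices = [minimal_solutions(n, idx, b) for idx, b in conjuncts]
    joined = [tuple(max(col) for col in zip(*combo)) for combo in product(*choices)]
    return minimal_elements(joined)


def satisfies_ad(cfg: Sequence[int], conjuncts: List[Conjunct]) -> bool:
    return all(sum(cfg[v] for v in idx) >= b for idx, b in conjuncts)


if __name__ == "__main__":
    # Constructed protocol with three states s_1, s_2, s_3 (counters 0, 1, 2).
    print(ad_to_b(3, [([0, 1], 2)]))                  # [(0, 2, 0), (1, 1, 0), (2, 0, 0)]
    print(ad_to_b(3, [([0, 1], 2), ([1, 2], 1)]))     # [(0, 2, 0), (1, 1, 0), (2, 0, 1)]
```

The size of the resulting $B$ set is what the succinctness comparison in [DEP99] is about: a single conjunct with $k$ variables and bound $b$ already expands to $\binom{b+k-1}{k-1}$ tuples, and conjunctions multiply before minimization prunes them.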

9 Lossy Channel Systems 

In [AJ96], we present a constraint system, here denoted $L_1$, for representing upward closed sets of words. The constraints in $L_1$ are used in [AJ96] for verification of lossy channel systems: finite state machines communicating over unbounded and unreliable FIFO buffers. We assume a finite alphabet $\Sigma$. For words $w_1, w_2 \in \Sigma^*$, we let $w_1 \preceq_w w_2$ denote that $w_1$ is a (not necessarily contiguous) subword of $w_2$. A constraint in $L_1$ is represented by a word $w$, where $[w] = \{w' \mid w \preceq_w w'\}$.

Here, we introduce a new constraint system $L_2$, defined as the smallest set such that $L_2$ contains:

• $a$, for each $a \in \Sigma$, where $[a] = \{w \mid a \preceq_w w\}$;

and $L_2$ is closed under:

• concatenation: $[\phi_1 \cdot \phi_2] = \{w_1 w_2 \mid w_1 \in [\phi_1] \text{ and } w_2 \in [\phi_2]\}$;

• conjunction: $[\phi_1 \,\&\, \phi_2] = \{w \mid w \in [\phi_1] \text{ and } w \in [\phi_2]\}$; and

• disjunction: $[\phi_1 + \phi_2] = \{w \mid w \in [\phi_1] \text{ or } w \in [\phi_2]\}$.

Example 9.1. In Figure 6 the constraint $\phi_1$ is of the form $(a \,\&\, b) \cdot (b + c)$. This means that $[\phi_1] = \{w_1 w_2 \mid (a \preceq_w w_1) \text{ and } (b \preceq_w w_1) \text{ and } ((b \preceq_w w_2) \text{ or } (c \preceq_w w_2))\}$. The constraint $\phi_1$ is equivalent to the disjunction of the following set of constraints in $L_1$: $\{abb, abc, bab, bac\}$. □

Figure 6: Two constraints in $L_2$



The constraint system $L_2$ is exponentially more succinct than $L_1$. More precisely, each constraint $\phi_1 \in L_1$ has a linear-size translation (through the concatenation operator) into an equivalent constraint $\phi_2 \in L_2$. On the other hand, a constraint of the form $a_1 \,\&\, \cdots \,\&\, a_n$ ($\phi_2$ in Figure 6) can only be represented in $L_1$ by the disjunction of a set of constraints of size $n!$; namely the set

$$\{b_1 \cdots b_n \mid (b_1, \ldots, b_n) \text{ is a permutation of } (a_1, \ldots, a_n)\}.$$

In a similar manner to the previous sections, we can use properties of $L_1$ and $L_2$ to conclude the following.

Theorem 9.2. L2 is bqo. 
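An evaluator for $L_2$ constraints and the translation of an $L_2$ constraint into the finite set of $L_1$ words whose disjunction it equals, as an added Python example that is not from [AJ96] or this paper. Conjunction of two words is computed by merging them (interleaving, optionally identifying equal letters) and keeping the subword-minimal results; every minimal common superword is such a merge, because the positions used by the two embeddings form one. This reproduces Example 9.1 and the $n!$ permutations for $a_1 \,\&\, \cdots \,\&\, a_n$. The tuple encoding of constraints and the helper names are the example's own.

```python
from typing import Set


def is_subword(u: str, w: str) -> bool:
    """u <=_w w: u is a (not necessarily contiguous) subword of w."""
    pos = 0
    for ch in u:
        pos = w.find(ch, pos)
        if pos < 0:
            return False
        pos += 1
    return True


# An L2 constraint is a nested tuple: ("atom", a), ("cat", f, g), ("and", f, g)
# or ("or", f, g); this encoding is the example's own, not the paper's.
def holds(phi, w: str) -> bool:
    """w in [phi], following the denotation of each operator."""
    kind = phi[0]
    if kind == "atom":
        return is_subword(phi[1], w)
    if kind == "and":
        return holds(phi[1], w) and holds(phi[2], w)
    if kind == "or":
        return holds(phi[1], w) or holds(phi[2], w)
    if kind == "cat":  # some split w = w1 w2 with w1 in [f] and w2 in [g]
        return any(holds(phi[1], w[:k]) and holds(phi[2], w[k:])
                   for k in range(len(w) + 1))
    raise ValueError(kind)


def merges(u: str, v: str) -> Set[str]:
    """Words obtained by interleaving u and v, optionally identifying a letter
    of u with an equal letter of v. Contains every minimal common superword."""
    if not u:
        return {v}
    if not v:
        return {u}
    out = {u[0] + w for w in merges(u[1:], v)} | {v[0] + w for w in merges(u, v[1:])}
    if u[0] == v[0]:
        out |= {u[0] + w for w in merges(u[1:], v[1:])}
    return out


def minimal(words: Set[str]) -> Set[str]:
    """Drop words that have another word of the set as a proper subword."""
    return {w for w in words if not any(x != w and is_subword(x, w) for x in words)}


def to_l1(phi) -> Set[str]:
    """The finite set of L1 constraints (words) whose disjunction equals [phi]."""
    kind = phi[0]
    if kind == "atom":
        return {phi[1]}
    if kind == "or":
        return minimal(to_l1(phi[1]) | to_l1(phi[2]))
    if kind == "cat":
        return minimal({a + b for a in to_l1(phi[1]) for b in to_l1(phi[2])})
    if kind == "and":
        return minimal({m for a in to_l1(phi[1]) for b in to_l1(phi[2])
                        for m in merges(a, b)})
    raise ValueError(kind)


def conj_of_letters(letters: str):
    """a_1 & ... & a_n, the phi_2 of Section 9 (constructed from a string)."""
    phi = ("atom", letters[0])
    for a in letters[1:]:
        phi = ("and", phi, ("atom", a))
    return phi


# phi_1 of Example 9.1: (a & b) . (b + c)
PHI_1 = ("cat", ("and", ("atom", "a"), ("atom", "b")), ("or", ("atom", "b"), ("atom", "c")))

if __name__ == "__main__":
    print(sorted(to_l1(PHI_1)))                          # ['abb', 'abc', 'bab', 'bac']
    print(holds(PHI_1, "xaxbxxc"), holds(PHI_1, "ba"))   # True False
    print(len(to_l1(conj_of_letters("abcd"))))           # 24 = 4!
```

The `holds` evaluator works directly on the $L_2$ term and is linear in its size, while `to_l1` materializes the $L_1$ disjunction; comparing the two on `conj_of_letters` for growing alphabets is the succinctness gap stated above.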

10 Integral Relational Automata 

An Integral Relational Automaton (IRA) operates on a set $X = \{x_1, \ldots, x_n\}$ of variables assuming values from the set $\mathbb{Z}$ of integers. The transitions of the automaton are labeled by guarded commands of the form $g \to stmt$ in which the guard $g$ is a boolean combination of inequalities of the form $x < y$, $c < x$, or $x < c$, for $x, y \in X$ and $c \in \mathbb{Z}$, and where the body $stmt$ contains, for each $x \in X$, an assignment of one of the forms $x := y$, $x := c$, or $x := \{?\}$, for $y \in X$ and $c \in \mathbb{Z}$. The assignment $x := \{?\}$ is a "read" operation putting an arbitrary integer into the variable $x$. A configuration $\gamma$ of an IRA is a mapping from $X$ to $\mathbb{Z}$. Sometimes, we write $\gamma$ as a tuple $(\gamma(x_1), \ldots, \gamma(x_n))$. For $c \in \mathbb{Z}$, we use the convention that $\gamma(c) = c$.

A constraint system, called the sparser than system $S_1$, is defined in [Cer94] for verification of IRAs as follows. Let $c_{min}$ ($c_{max}$) be the smallest (largest) constant occurring syntactically in the IRA. Define $C = \{c_{min}, \ldots, c_{max}\}$ to be the set of integers between $c_{min}$ and $c_{max}$. A constraint $\phi$ in $S_1$ is a mapping from $X$ to $\mathbb{Z}$. In a similar manner to configurations, we assume $\phi(c) = c$ for $c \in \mathbb{Z}$. A configuration $\gamma$ satisfies $\phi$ iff for each $x, y \in X \cup C$, we have (i) $\gamma(x) \le \gamma(y)$ iff $\phi(x) \le \phi(y)$; and (ii) if $\phi(x) \le \phi(y)$ then $\phi(y) - \phi(x) \le \gamma(y) - \gamma(x)$.

Example 10.1. Assume $X = \{x_1, x_2, x_3\}$ and $C = \{5\}$. Consider a constraint $\phi = (10, 5, 12)$. Then $\gamma_1 = (12, 5, 17) \in [\phi]$, while $\gamma_2 = (8, 5, 16) \notin [\phi]$ (since $\phi(x_1) - \phi(x_2) = 5 \not\le \gamma_2(x_1) - \gamma_2(x_2) = 3$), and $\gamma_3 = (12, 4, 17) \notin [\phi]$ (since $\phi(5) = 5 \le \phi(x_2) = 5$ while $\gamma_3(5) = 5 \not\le \gamma_3(x_2) = 4$). □
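The sparser-than satisfaction test (conditions (i) and (ii) over $X \cup C$) together with an evaluator for $S_2$ conditions, as an added Python example that is not from [Cer94] or this paper, checked against the three configurations of Example 10.1. The list encoding of $S_2$ conditions, the 0-based variable indices and the function names are constructed for this example.

```python
from typing import Dict, List, Sequence, Tuple

# Configurations and S_1 constraints are tuples over X = {x_1, ..., x_n}
# (index 0 is x_1); constants c in C are compared like variables with the
# fixed value c, i.e. gamma(c) = phi(c) = c.


def sparser_than_satisfies(gamma: Sequence[int], phi: Sequence[int], C: Sequence[int]) -> bool:
    """gamma in [phi] for the sparser-than system S_1: over X u C both mappings
    induce the same non-strict order (i), and every gap phi(y) - phi(x) of an
    ordered pair is at most the corresponding gap gamma(y) - gamma(x) (ii)."""
    g: Dict[object, int] = {i: v for i, v in enumerate(gamma)}
    f: Dict[object, int] = {i: v for i, v in enumerate(phi)}
    for c in C:
        g[("const", c)] = c
        f[("const", c)] = c
    for x in g:
        for y in g:
            if (g[x] <= g[y]) != (f[x] <= f[y]):               # condition (i)
                return False
            if f[x] <= f[y] and f[y] - f[x] > g[y] - g[x]:     # condition (ii)
                return False
    return True


# An S_2 constraint is a list of conditions: ("lo", c, x) for c <= x,
# ("hi", x, c) for x <= c, and ("diff", c, y, x) for c <= y - x, with x and y
# given as indices into the configuration (encoding chosen for this example).
Cond = Tuple


def s2_satisfies(gamma: Sequence[int], conds: List[Cond]) -> bool:
    for cond in conds:
        if cond[0] == "lo" and not cond[1] <= gamma[cond[2]]:
            return False
        if cond[0] == "hi" and not gamma[cond[1]] <= cond[2]:
            return False
        if cond[0] == "diff" and not cond[1] <= gamma[cond[2]] - gamma[cond[3]]:
            return False
    return True


# Example 10.1: X = {x1, x2, x3}, C = {5}, phi = (10, 5, 12).
PHI = (10, 5, 12)
CONSTS = (5,)

if __name__ == "__main__":
    for gamma in [(12, 5, 17), (8, 5, 16), (12, 4, 17)]:
        print(gamma, sparser_than_satisfies(gamma, PHI, CONSTS))  # True, False, False
    # An S_2 constraint "5 <= x2 and 2 <= x3 - x1" on the same configurations.
    print(s2_satisfies((12, 5, 17), [("lo", 5, 1), ("diff", 2, 2, 0)]))  # True
    print(s2_satisfies((12, 4, 17), [("lo", 5, 1)]))                     # False
```

Condition (i) is what rules out $\gamma_3$ (the constant 5 and $x_2$ are ordered differently from $\phi$), and condition (ii) is what rules out $\gamma_2$ (the gap between $x_2$ and $x_1$ shrank from 5 to 3); the $S_2$ evaluator, by contrast, never compares variables against each other unless a difference condition says so, which is the source of its succinctness over $S_1$.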

We introduce a new constraint system $S_2$, such that a constraint $\phi$ in $S_2$ is a conjunction of conditions of the forms $c \le x$, $x \le c$, and $c \le y - x$, where $x, y \in X$ and $c \in \mathbb{Z}$. The satisfiability of $\phi$ by a configuration $\gamma$ is defined in the obvious way.

Example 10.2. Assume $X = \{x_1, x_2\}$ and $C = \{5\}$. The constraint $5 \le x_2$ in $S_2$ is equivalent to the disjunction of the following set of constraints in $S_1$: $\{(4, 7), (5, 7), (6, 7), (7, 7), (8, 7)\}$. Notice that the constraints correspond to the different relative values which $x_1$ may have with respect to the constant 5 and the variable $x_2$. □

In a similar manner to the constraint systems in the previous sections, we can show that $S_2$ is exponentially more succinct than $S_1$ and that the following theorem holds.

Theorem 10.3. S2 is bqo. 



11 Conclusions and Future Work 

We have proposed better quasi-orderings, a refinement of the theory of well quasi-ordering, as a framework for symbolic model checking, since they allow us to build constraint systems which are more compact than previous ones. For instance, we show better quasi-ordering of complex expressions for upward closed sets of words, used for verification of lossy channel systems, and of arbitrary boolean combinations of linear inequalities, used for verification of broadcast protocols. We also achieve similar results for binary constraints which can be applied for model checking of real-time systems and relational automata.

We have introduced a new constraint system, existential zones, for verification of real-time systems with an unbounded number of clocks. Using and modifying efficient data structures for verification of real-time automata, we have obtained some encouraging experimental results. One direction for future work is to design efficient data structures for manipulating the new constraint systems. It would also be interesting to investigate the feasibility of defining a general framework for implementation of better quasi-ordered constraint systems.

Furthermore, in addition to disjunction, better quasi-orderings are closed 
under several other operations which do not preserve well quasi-ordering. 
An example is that better quasi-orderings are closed under the operation 
of taking infinite sets and infinite words. This means that we can consider 
much richer structures for building constraints. Therefore, although the 
main concern of this work is that of efficiency, we believe that the approach 
will eventually also lead to decidability results for new classes of infinite-state 
systems. 